CloudsArk

Network Policy Security

Learn practical network policy security with kubectl commands, manifests, verification steps, common mistakes, and production-focused guidance.


Introduction

This guide explains network policy security with practical kubectl commands, realistic output, and production-focused checks. A NetworkPolicy restricts which pods may talk to which, so a compromised workload cannot reach every other service in the cluster; RBAC and pod security are the complementary layers for API access and runtime privileges. Security and RBAC changes must be small, testable, and namespace-aware.

Why This Matters

Overbroad RBAC, privileged pods, writable root filesystems, and unrestricted network access turn small application bugs into cluster risk. Production clusters need least privilege and clear verification.

Example Configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.27
        ports:
        - containerPort: 80

Step-by-Step Configuration

Confirm that the web pods are reachable before any policy is applied, so that a later failure can be attributed to the policy and not to a broken Service. The Deployment above creates no Service, so the curl test assumes a ClusterIP Service named web in the app namespace. Without -n the test pod runs in the default namespace, which is exactly the cross-namespace path a policy should later block.

kubectl get svc,endpoints -A
kubectl describe svc web -n app
kubectl get ingress -A
kubectl run curl --rm -it --image=curlimages/curl --restart=Never -- curl -I http://web.app.svc.cluster.local
kubectl get events -n app --sort-by=.lastTimestamp

Expected output (the service entry for the app namespace; endpoint rows and other namespaces are omitted):

NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
service/web   ClusterIP   10.96.42.10   <none>        80/TCP    2d

Verification

kubectl auth can-i get pods -n app --as system:serviceaccount:app:backend
kubectl describe rolebinding -n app
kubectl get events -n app --sort-by=.lastTimestamp

The can-i check must name the exact service account, because a Role bound to a different subject in the same namespace proves nothing. For the network layer, list the NetworkPolicy objects in the namespace and repeat the curl test twice: once from a pod that the policy should allow and once from one it should block.
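A Role and RoleBinding that make the verification above return yes for get pods on the backend service account and no for anything else. This is an added example, not code from the original page; the service account name backend matches the can-i command, and the Role name backend-pod-reader is a placeholder.

```yaml
# Added example (not from the original page): least-privilege RBAC for the
# service account used in the kubectl auth can-i check above.
# Assumption: the Role name backend-pod-reader is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend
  namespace: app
automountServiceAccountToken: false   # pods opt in explicitly if they need the API
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespace-scoped; no ClusterRole needed
metadata:
  name: backend-pod-reader
  namespace: app
rules:
- apiGroups: [""]                     # "" is the core API group (pods, secrets, ...)
  resources: ["pods"]
  verbs: ["get", "list", "watch"]     # read-only; no create/delete/patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backend-pod-reader
  namespace: app
subjects:
- kind: ServiceAccount
  name: backend
  namespace: app                      # subject namespace must be stated explicitly
roleRef:
  kind: Role
  name: backend-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

With this applied, the can-i check for get pods answers yes, while the same check for get secrets or delete pods answers no. Because the binding is a namespace-scoped Role, the account gains nothing in any other namespace, which is the property to verify before considering a ClusterRole.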

Security Best Practices

  • Grant verbs only for the resources an application actually needs.
  • Prefer namespace-scoped Roles before ClusterRoles.
  • Start every namespace with a default-deny NetworkPolicy and allow only named flows, including the DNS egress the pods need.
  • Run containers as non-root and drop unnecessary Linux capabilities.
  • Protect Secrets with RBAC and avoid printing them in logs.
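A Deployment that applies the non-root and capability bullets above to the web workload, added here as an example and not taken from the original page. It assumes the nginxinc/nginx-unprivileged image, which listens on 8080 and runs as a numeric non-root user, and that with a read-only root filesystem the only writable path that image needs is /tmp (an assumption about that image's layout; adjust the emptyDir mounts for your own image).

```yaml
# Added example (not from the original page): hardened runtime settings for
# the web Deployment. Assumptions: nginxinc/nginx-unprivileged listens on 8080,
# runs as a numeric non-root user, and only needs /tmp to be writable.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-hardened
  namespace: app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false   # nginx never calls the API server
      securityContext:
        runAsNonRoot: true                   # kubelet refuses to start a root container
        seccompProfile:
          type: RuntimeDefault               # runtime's default syscall filter
      containers:
      - name: web
        image: nginxinc/nginx-unprivileged:1.27
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false    # blocks setuid binaries gaining privileges
          readOnlyRootFilesystem: true       # writes only succeed on mounted volumes
          capabilities:
            drop: ["ALL"]                    # no NET_BIND_SERVICE needed on port 8080
        volumeMounts:
        - name: tmp
          mountPath: /tmp                    # pid file and temp paths (image assumption)
      volumes:
      - name: tmp
        emptyDir: {}
```

Dropping every capability is only possible because the image binds a port above 1024; a stock nginx image listening on 80 would need NET_BIND_SERVICE or would fail to start as non-root. These settings satisfy the restricted Pod Security Standard, which is the level to enforce on application namespaces.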

Common Mistakes

  • Binding cluster-admin to application service accounts.
  • Debugging Forbidden errors without checking the exact service account identity.
  • Assuming Pod Security, RBAC, and NetworkPolicy solve the same problem; they govern runtime privileges, API access, and pod traffic respectively.
  • Applying a NetworkPolicy on a CNI plugin that does not enforce it and assuming the traffic is blocked.
  • Restricting egress without allowing DNS, which breaks name resolution for every selected pod.

Troubleshooting

Use kubectl auth can-i with the exact service account, namespace, verb, and resource. Then inspect RoleBindings, admission events, pod security settings, and image pull credentials. For traffic problems, first confirm that the CNI plugin enforces NetworkPolicy; a cluster whose CNI does not implement the API accepts the objects without enforcing them. A connection blocked by a policy usually hangs until it times out rather than being refused, because most implementations drop the packets. Policies are additive and allow-only: a pod selected by any policy with a given policyType is isolated in that direction, and traffic is permitted if any policy allows it, so there is no rule to deny a flow that another policy already allows. If pods lose name resolution right after an egress policy is applied, the policy is also blocking DNS to the cluster resolver.

Summary

Kubernetes security works best as layered controls: RBAC for API access, pod security for runtime boundaries, NetworkPolicy for traffic, and careful Secret handling for credentials.